memf_linux/

ipc.rs

//! Linux System V IPC object enumeration.
//!
//! Enumerates shared memory segments, semaphores, and message queues from
//! kernel memory by walking the `shm_ids` and `sem_ids` structures. These
//! IPC mechanisms can be used for covert data exchange between processes
//! and are relevant for detecting process collaboration or C2 channels.

use memf_core::object_reader::ObjectReader;
use memf_format::PhysicalMemoryProvider;

use crate::Result;

/// Information about a System V shared memory segment.
#[derive(Debug, Clone, serde::Serialize)]
pub struct IpcShmInfo {
    /// IPC key used to create/access the segment.
    pub key: u32,
    /// Shared memory identifier.
    pub shmid: u32,
    /// Size of the shared memory segment in bytes.
    pub size: u64,
    /// PID of the last process to operate on the segment.
    pub owner_pid: u32,
    /// PID of the process that created the segment.
    pub creator_pid: u32,
    /// Permission bits (rwxrwxrwx).
    pub permissions: u32,
    /// Number of current attaches.
    pub num_attaches: u32,
}

/// Information about a System V semaphore set.
#[derive(Debug, Clone, serde::Serialize)]
pub struct IpcSemInfo {
    /// IPC key used to create/access the semaphore set.
    pub key: u32,
    /// Semaphore set identifier.
    pub semid: u32,
    /// Number of semaphores in the set.
    pub num_sems: u32,
    /// PID of the owner.
    pub owner_pid: u32,
    /// Permission bits (rwxrwxrwx).
    pub permissions: u32,
}

/// Maximum number of IPC IDs to walk (cycle/runaway protection).
const MAX_IPC_IDS: usize = 32_768;

/// Maximum XArray traversal depth (prevents runaway on corrupt images).
const MAX_XA_DEPTH: usize = 8;

/// Number of slots per `xa_node`.
const XA_NODE_SLOTS: usize = 64;

/// Recursively walk an XArray starting from `xa_head`.
///
/// XArray encoding:
/// - `xa_head == 0` → empty tree
/// - `xa_head & 2 == 0` → direct entry (the pointer itself, after stripping
///   the low 2 tag bits)
/// - `xa_head & 2 == 2` → node pointer; strip low bits to get `xa_node*`,
///   then iterate all 64 slots recursively
///
/// Returns the list of non-null entry virtual addresses (tags stripped).
fn walk_xarray<P: memf_format::PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
    xa_head: u64,
    depth: usize,
    entries: &mut Vec<u64>,
) {
    if xa_head == 0 || depth > MAX_XA_DEPTH || entries.len() >= MAX_IPC_IDS {
        return;
    }

    if xa_head & 2 == 0 {
        // Direct entry — strip tag bits and push if non-null
        let ptr = xa_head & !3u64;
        if ptr != 0 {
            entries.push(ptr);
        }
        return;
    }

    // Node pointer — strip the low 2 bits to get the xa_node address
    let node_addr = xa_head & !3u64;

    // The `slots` field offset within xa_node tells us where the slot array
    // starts. If the ISF doesn't have xa_node defined we fall back to offset 0.
    let slots_offset = reader
        .symbols()
        .field_offset("xa_node", "slots")
        .unwrap_or(0);

    // Read all 64 slots (8 bytes each)
    let slots_vaddr = node_addr + slots_offset;
    let raw = match reader.read_bytes(slots_vaddr, XA_NODE_SLOTS * 8) {
        Ok(b) => b,
        Err(_) => return,
    };

    for i in 0..XA_NODE_SLOTS {
        if entries.len() >= MAX_IPC_IDS {
            break;
        }
        let slot = raw[i * 8..(i + 1) * 8]
            .try_into()
            .map_or(0, u64::from_le_bytes);
        if slot == 0 {
            continue;
        }
        walk_xarray(reader, slot, depth + 1, entries);
    }
}

/// Walk System V shared memory segments via the kernel `shm_ids` structure.
///
/// Returns `Ok(Vec::new())` if the `shm_ids` symbol is not found (profile
/// may not include it).
pub fn walk_shm_segments<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
) -> Result<Vec<IpcShmInfo>> {
    let shm_ids_addr = match reader.symbols().symbol_address("shm_ids") {
        Some(addr) => addr,
        None => return Ok(Vec::new()),
    };

    let in_use: u32 = match reader.read_field(shm_ids_addr, "ipc_ids", "in_use") {
        Ok(v) => v,
        Err(_) => return Ok(Vec::new()),
    };

    if in_use == 0 {
        return Ok(Vec::new());
    }

    // Navigate: ipc_ids -> ipcs_idr -> idr_rt -> xa_head
    let ipcs_idr_offset = reader
        .symbols()
        .field_offset("ipc_ids", "ipcs_idr")
        .unwrap_or(0);
    let idr_rt_offset = reader.symbols().field_offset("idr", "idr_rt").unwrap_or(0);
    let xa_head_offset = reader
        .symbols()
        .field_offset("radix_tree_root", "xa_head")
        .unwrap_or(0);

    let xa_head_addr = shm_ids_addr + ipcs_idr_offset + idr_rt_offset + xa_head_offset;
    let first_entry: u64 = match reader.read_field(xa_head_addr, "radix_tree_root", "xa_head") {
        Ok(v) => v,
        Err(_) => return Ok(Vec::new()),
    };

    let mut segments = Vec::new();

    if first_entry == 0 {
        return Ok(segments);
    }

    // Walk the full XArray/IDR radix tree rooted at xa_head.
    let mut addrs = Vec::new();
    walk_xarray(reader, first_entry, 0, &mut addrs);

    let shm_perm_offset = reader
        .symbols()
        .field_offset("shmid_kernel", "shm_perm")
        .unwrap_or(0);

    for addr in addrs {
        let perm_base = addr + shm_perm_offset;

        let key: u32 = match reader.read_field(perm_base, "kern_ipc_perm", "key") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let id: u32 = match reader.read_field(perm_base, "kern_ipc_perm", "id") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let mode: u32 = match reader.read_field(perm_base, "kern_ipc_perm", "mode") {
            Ok(v) => v,
            Err(_) => continue,
        };

        let size: u64 = match reader.read_field(addr, "shmid_kernel", "shm_segsz") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let cprid: u32 = match reader.read_field(addr, "shmid_kernel", "shm_cprid") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let lprid: u32 = match reader.read_field(addr, "shmid_kernel", "shm_lprid") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let nattch: u32 = match reader.read_field(addr, "shmid_kernel", "shm_nattch") {
            Ok(v) => v,
            Err(_) => continue,
        };

        segments.push(IpcShmInfo {
            key,
            shmid: id,
            size,
            owner_pid: lprid,
            creator_pid: cprid,
            permissions: mode,
            num_attaches: nattch,
        });
    }

    Ok(segments)
}

/// Walk System V semaphore sets via the kernel `sem_ids` structure.
///
/// Returns `Ok(Vec::new())` if the `sem_ids` symbol is not found (profile
/// may not include it).
pub fn walk_semaphores<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
) -> Result<Vec<IpcSemInfo>> {
    let sem_ids_addr = match reader.symbols().symbol_address("sem_ids") {
        Some(addr) => addr,
        None => return Ok(Vec::new()),
    };

    let in_use: u32 = match reader.read_field(sem_ids_addr, "ipc_ids", "in_use") {
        Ok(v) => v,
        Err(_) => return Ok(Vec::new()),
    };

    if in_use == 0 {
        return Ok(Vec::new());
    }

    // Navigate: ipc_ids -> ipcs_idr -> idr_rt -> xa_head
    let ipcs_idr_offset = reader
        .symbols()
        .field_offset("ipc_ids", "ipcs_idr")
        .unwrap_or(0);
    let idr_rt_offset = reader.symbols().field_offset("idr", "idr_rt").unwrap_or(0);
    let xa_head_offset = reader
        .symbols()
        .field_offset("radix_tree_root", "xa_head")
        .unwrap_or(0);

    let xa_head_addr = sem_ids_addr + ipcs_idr_offset + idr_rt_offset + xa_head_offset;
    let first_entry: u64 = match reader.read_field(xa_head_addr, "radix_tree_root", "xa_head") {
        Ok(v) => v,
        Err(_) => return Ok(Vec::new()),
    };

    let mut semaphores = Vec::new();

    if first_entry == 0 {
        return Ok(semaphores);
    }

    // Walk the full XArray/IDR radix tree rooted at xa_head.
    let mut addrs = Vec::new();
    walk_xarray(reader, first_entry, 0, &mut addrs);

    let sem_perm_offset = reader
        .symbols()
        .field_offset("sem_array", "sem_perm")
        .unwrap_or(0);

    for addr in addrs {
        let perm_base = addr + sem_perm_offset;

        let key: u32 = match reader.read_field(perm_base, "kern_ipc_perm", "key") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let id: u32 = match reader.read_field(perm_base, "kern_ipc_perm", "id") {
            Ok(v) => v,
            Err(_) => continue,
        };
        let mode: u32 = match reader.read_field(perm_base, "kern_ipc_perm", "mode") {
            Ok(v) => v,
            Err(_) => continue,
        };

        let nsems: u32 = match reader.read_field(addr, "sem_array", "sem_nsems") {
            Ok(v) => v,
            Err(_) => continue,
        };
        // sem_array doesn't have a direct PID field; use sem_otime_high as a
        // proxy, falling back to 0 when the field is absent from the profile.
        let owner_pid: u32 = reader
            .read_field(addr, "sem_array", "sem_otime_high")
            .unwrap_or(0);

        semaphores.push(IpcSemInfo {
            key,
            semid: id,
            num_sems: nsems,
            owner_pid,
            permissions: mode,
        });
    }

    Ok(semaphores)
}

#[cfg(test)]
mod tests {
    use super::*;
    use memf_core::test_builders::{flags, PageTableBuilder, SyntheticPhysMem};
    use memf_core::vas::{TranslationMode, VirtualAddressSpace};
    use memf_symbols::isf::IsfResolver;
    use memf_symbols::test_builders::IsfBuilder;

    /// Build an ObjectReader with NO IPC symbols at all — simulates a profile
    /// that does not contain `shm_ids` or `sem_ids`.
    fn make_empty_reader() -> ObjectReader<SyntheticPhysMem> {
        let isf = IsfBuilder::new().build_json();
        let resolver = IsfResolver::from_value(&isf).unwrap();
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let data = vec![0u8; 4096];
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        ObjectReader::new(vas, Box::new(resolver))
    }

    /// Build an ObjectReader with IPC struct definitions and a single shared
    /// memory segment laid out in synthetic memory.
    fn make_shm_reader(data: &[u8], vaddr: u64, paddr: u64) -> ObjectReader<SyntheticPhysMem> {
        let isf = IsfBuilder::new()
            // ipc_ids: the top-level container for an IPC namespace
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            // idr: simplified — we treat it as having a pointer to the
            // radix tree root node
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            // radix_tree_root: simplified single-slot tree for testing
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            // kern_ipc_perm: common IPC permission header
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            // shmid_kernel: kernel shared memory descriptor
            .add_struct("shmid_kernel", 128)
            .add_field("shmid_kernel", "shm_perm", 0, "kern_ipc_perm")
            .add_field("shmid_kernel", "shm_segsz", 64, "unsigned long")
            .add_field("shmid_kernel", "shm_cprid", 72, "unsigned int")
            .add_field("shmid_kernel", "shm_lprid", 76, "unsigned int")
            .add_field("shmid_kernel", "shm_nattch", 80, "unsigned int")
            .add_symbol("shm_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        ObjectReader::new(vas, Box::new(resolver))
    }

    #[test]
    fn walk_shm_no_symbol() {
        let reader = make_empty_reader();
        let result = walk_shm_segments(&reader).unwrap();
        assert!(
            result.is_empty(),
            "no shm_ids symbol should yield empty vec"
        );
    }

    #[test]
    fn walk_sem_no_symbol() {
        let reader = make_empty_reader();
        let result = walk_semaphores(&reader).unwrap();
        assert!(
            result.is_empty(),
            "no sem_ids symbol should yield empty vec"
        );
    }

    #[test]
    fn walk_shm_in_use_zero_returns_empty() {
        // shm_ids present but in_use == 0 → return empty immediately
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let data = vec![0u8; 4096];
        // in_use at offset 0 = 0 (already zeroed)
        let _ = data[0]; // keep lint happy

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("shmid_kernel", 128)
            .add_field("shmid_kernel", "shm_perm", 0, "kern_ipc_perm")
            .add_field("shmid_kernel", "shm_segsz", 64, "unsigned long")
            .add_field("shmid_kernel", "shm_cprid", 72, "unsigned int")
            .add_field("shmid_kernel", "shm_lprid", 76, "unsigned int")
            .add_field("shmid_kernel", "shm_nattch", 80, "unsigned int")
            .add_symbol("shm_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_shm_segments(&reader).unwrap();
        assert!(result.is_empty(), "in_use == 0 should yield empty vec");
    }

    #[test]
    fn walk_sem_in_use_zero_returns_empty() {
        // sem_ids present but in_use == 0 → return empty immediately
        let vaddr: u64 = 0xFFFF_8000_0020_0000;
        let paddr: u64 = 0x0090_0000;
        let data = vec![0u8; 4096]; // in_use at offset 0 = 0

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("sem_array", 128)
            .add_field("sem_array", "sem_perm", 0, "kern_ipc_perm")
            .add_field("sem_array", "sem_nsems", 64, "unsigned int")
            .add_field("sem_array", "sem_otime_high", 68, "unsigned int")
            .add_symbol("sem_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap();
        assert!(
            result.is_empty(),
            "in_use == 0 should yield empty vec for semaphores"
        );
    }

    // -----------------------------------------------------------------------
    // walk_semaphores: sem_ids present, in_use > 0 but xa_head == 0 → empty
    // -----------------------------------------------------------------------

    #[test]
    fn walk_sem_in_use_nonzero_xa_head_zero_returns_empty() {
        // sem_ids present with in_use = 1, but radix_tree_root.xa_head == 0.
        // The walker reads first_entry == 0 and returns Ok(empty).
        let vaddr: u64 = 0xFFFF_8800_00A0_0000;
        let paddr: u64 = 0x00B0_0000;
        let mut data = vec![0u8; 4096];

        // ipc_ids.in_use (u32 at offset 0) = 1
        data[0..4].copy_from_slice(&1u32.to_le_bytes());
        // ipcs_idr at offset 8; idr_rt at offset 0 within idr = offset 8 overall;
        // radix_tree_root.xa_head at offset 0 within rtr = offset 8 overall.
        // All remaining bytes are 0 → xa_head == 0 → first_entry == 0 → empty.

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("sem_array", 128)
            .add_field("sem_array", "sem_perm", 0, "kern_ipc_perm")
            .add_field("sem_array", "sem_nsems", 64, "unsigned int")
            .add_field("sem_array", "sem_otime_high", 68, "unsigned int")
            .add_symbol("sem_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap_or_default();
        assert!(
            result.is_empty(),
            "xa_head==0 with in_use>0 should yield empty semaphore list"
        );
    }

    // -----------------------------------------------------------------------
    // walk_shm_segments: shm_ids present, in_use > 0 but xa_head == 0 → empty
    // -----------------------------------------------------------------------

    #[test]
    fn walk_shm_in_use_nonzero_xa_head_zero_returns_empty() {
        // shm_ids present with in_use = 1 but xa_head == 0 → empty.
        let vaddr: u64 = 0xFFFF_8800_00C0_0000;
        let paddr: u64 = 0x00D0_0000;
        let mut data = vec![0u8; 4096];

        // ipc_ids.in_use (u32 at offset 0) = 1
        data[0..4].copy_from_slice(&1u32.to_le_bytes());
        // xa_head pointer = 0 (all remaining bytes are zero)

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("shmid_kernel", 128)
            .add_field("shmid_kernel", "shm_perm", 0, "kern_ipc_perm")
            .add_field("shmid_kernel", "shm_segsz", 64, "unsigned long")
            .add_field("shmid_kernel", "shm_cprid", 72, "unsigned int")
            .add_field("shmid_kernel", "shm_lprid", 76, "unsigned int")
            .add_field("shmid_kernel", "shm_nattch", 80, "unsigned int")
            .add_symbol("shm_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_shm_segments(&reader).unwrap_or_default();
        assert!(
            result.is_empty(),
            "xa_head==0 with in_use>0 should yield empty shm list"
        );
    }

    // -----------------------------------------------------------------------
    // walk_semaphores: sem_ids present, in_use > 0, xa_head != 0 → loop body runs
    // Exercises lines 183-219: reads kern_ipc_perm.key/id/mode, sem_nsems, owner_pid.
    // -----------------------------------------------------------------------

    #[test]
    fn walk_semaphores_single_semaphore_set() {
        let vaddr: u64 = 0xFFFF_8800_00F0_0000;
        let paddr: u64 = 0x00F0_0000;
        let mut data = vec![0u8; 4096];

        // ipc_ids layout (sem_ids at vaddr):
        //   in_use  (u32 at offset 0)     = 1
        //   ipcs_idr (at offset 8): idr struct
        //     idr_rt (at offset 0 within idr = offset 8 overall): radix_tree_root
        //       xa_head (pointer at offset 0 within rtr = offset 8 overall)
        //         = vaddr + 0x200  → sem_array at offset 0x200 in same page

        data[0..4].copy_from_slice(&1u32.to_le_bytes()); // in_use = 1

        let sem_array_addr = vaddr + 0x200;
        data[8..16].copy_from_slice(&sem_array_addr.to_le_bytes()); // xa_head → sem_array

        // sem_array at offset 0x200:
        //   sem_perm.key    (u32 at +0) = 0xBEEF
        //   sem_perm.id     (u32 at +4) = 77
        //   sem_perm.mode   (u32 at +8) = 0o600
        //   sem_nsems       (u32 at +64) = 5
        //   sem_otime_high  (u32 at +68) = 999
        let base = 0x200usize;
        data[base..base + 4].copy_from_slice(&0xBEEFu32.to_le_bytes());
        data[base + 4..base + 8].copy_from_slice(&77u32.to_le_bytes());
        data[base + 8..base + 12].copy_from_slice(&0o600u32.to_le_bytes());
        data[base + 64..base + 68].copy_from_slice(&5u32.to_le_bytes());
        data[base + 68..base + 72].copy_from_slice(&999u32.to_le_bytes());

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("sem_array", 128)
            .add_field("sem_array", "sem_perm", 0, "kern_ipc_perm")
            .add_field("sem_array", "sem_nsems", 64, "unsigned int")
            .add_field("sem_array", "sem_otime_high", 68, "unsigned int")
            .add_symbol("sem_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap();
        assert_eq!(result.len(), 1, "should find one semaphore set");
        assert_eq!(result[0].key, 0xBEEF);
        assert_eq!(result[0].semid, 77);
        assert_eq!(result[0].num_sems, 5);
        assert_eq!(result[0].owner_pid, 999);
        assert_eq!(result[0].permissions, 0o600);
    }

    // -----------------------------------------------------------------------
    // walk_shm_segments: in_use read fails (ipc_ids.in_use field absent) → empty
    // Exercises the Err branch at line 64 in walk_shm_segments.
    // -----------------------------------------------------------------------

    #[test]
    fn walk_shm_in_use_read_fails_returns_empty() {
        // shm_ids symbol present but ipc_ids.in_use field NOT in ISF →
        // read_field(shm_ids_addr, "ipc_ids", "in_use") returns Err → Ok(Vec::new())
        let vaddr: u64 = 0xFFFF_8800_00F1_0000;
        let paddr: u64 = 0x00F1_0000;
        let data = vec![1u8; 4096]; // all non-zero but field lookup will fail

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            // deliberately omit "in_use" field → read_field returns Err
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_symbol("shm_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_shm_segments(&reader).unwrap();
        assert!(result.is_empty(), "missing in_use field → Err → empty vec");
    }

    // -----------------------------------------------------------------------
    // walk_semaphores: in_use read fails (ipc_ids.in_use field absent) → empty
    // Exercises the Err branch at line 152 in walk_semaphores.
    // -----------------------------------------------------------------------

    #[test]
    fn walk_sem_in_use_read_fails_returns_empty() {
        let vaddr: u64 = 0xFFFF_8800_00F2_0000;
        let paddr: u64 = 0x00F2_0000;
        let data = vec![1u8; 4096];

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            // deliberately omit "in_use" field
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_symbol("sem_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap();
        assert!(result.is_empty(), "missing in_use field → Err → empty vec");
    }

    // -----------------------------------------------------------------------
    // IpcShmInfo / IpcSemInfo: Clone + Debug + Serialize
    // -----------------------------------------------------------------------

    #[test]
    fn ipc_shm_info_clone_debug_serialize() {
        let info = IpcShmInfo {
            key: 0xDEAD,
            shmid: 42,
            size: 65536,
            owner_pid: 100,
            creator_pid: 200,
            permissions: 0o644,
            num_attaches: 3,
        };
        let cloned = info.clone();
        assert_eq!(cloned.key, 0xDEAD);
        let dbg = format!("{cloned:?}");
        assert!(dbg.contains("shmid"));
        let json = serde_json::to_string(&cloned).unwrap();
        assert!(json.contains("\"key\":57005"));
    }

    #[test]
    fn ipc_sem_info_clone_debug_serialize() {
        let info = IpcSemInfo {
            key: 0xCAFE,
            semid: 7,
            num_sems: 4,
            owner_pid: 99,
            permissions: 0o755,
        };
        let cloned = info.clone();
        assert_eq!(cloned.semid, 7);
        let dbg = format!("{cloned:?}");
        assert!(dbg.contains("num_sems"));
        let json = serde_json::to_string(&cloned).unwrap();
        assert!(json.contains("\"semid\":7"));
    }

    // -----------------------------------------------------------------------
    // in_use > 1: verify no crash and exactly one entry is returned.
    // The XArray/IDR radix tree cannot be walked contiguously; only the first
    // entry (pointed to by xa_head) is recovered.
    // -----------------------------------------------------------------------

    #[test]
    fn walk_shm_in_use_gt1_returns_one_entry() {
        // in_use = 5 but only one shmid_kernel is actually reachable via xa_head.
        // The function must return exactly 1 entry without panicking or reading
        // out-of-bounds memory.
        let vaddr: u64 = 0xFFFF_8800_00E0_0000;
        let paddr: u64 = 0x00E0_0000;
        let mut data = vec![0u8; 4096];

        data[0..4].copy_from_slice(&5u32.to_le_bytes()); // in_use = 5

        let shm_kernel_addr = vaddr + 0x200;
        data[8..16].copy_from_slice(&shm_kernel_addr.to_le_bytes()); // xa_head → one shmid_kernel

        // shmid_kernel at offset 0x200
        let base = 0x200usize;
        data[base..base + 4].copy_from_slice(&0x1234u32.to_le_bytes()); // key
        data[base + 4..base + 8].copy_from_slice(&99u32.to_le_bytes()); // id
        data[base + 8..base + 12].copy_from_slice(&0o644u32.to_le_bytes()); // mode
        data[base + 64..base + 72].copy_from_slice(&8192u64.to_le_bytes()); // shm_segsz
        data[base + 72..base + 76].copy_from_slice(&500u32.to_le_bytes()); // shm_cprid
        data[base + 76..base + 80].copy_from_slice(&501u32.to_le_bytes()); // shm_lprid
        data[base + 80..base + 84].copy_from_slice(&1u32.to_le_bytes()); // shm_nattch

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("shmid_kernel", 128)
            .add_field("shmid_kernel", "shm_perm", 0, "kern_ipc_perm")
            .add_field("shmid_kernel", "shm_segsz", 64, "unsigned long")
            .add_field("shmid_kernel", "shm_cprid", 72, "unsigned int")
            .add_field("shmid_kernel", "shm_lprid", 76, "unsigned int")
            .add_field("shmid_kernel", "shm_nattch", 80, "unsigned int")
            .add_symbol("shm_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_shm_segments(&reader).unwrap();
        // Must return exactly 1 — XArray radix tree is not walked contiguously.
        assert_eq!(
            result.len(),
            1,
            "in_use=5 but only first xa_head entry is recoverable"
        );
        assert_eq!(result[0].key, 0x1234);
    }

    #[test]
    fn walk_sem_in_use_gt1_returns_one_entry() {
        // in_use = 3 but only one sem_array is reachable via xa_head.
        let vaddr: u64 = 0xFFFF_8800_00D0_0000;
        let paddr: u64 = 0x00D8_0000;
        let mut data = vec![0u8; 4096];

        data[0..4].copy_from_slice(&3u32.to_le_bytes()); // in_use = 3

        let sem_array_addr = vaddr + 0x200;
        data[8..16].copy_from_slice(&sem_array_addr.to_le_bytes()); // xa_head → one sem_array

        let base = 0x200usize;
        data[base..base + 4].copy_from_slice(&0xABCDu32.to_le_bytes()); // key
        data[base + 4..base + 8].copy_from_slice(&55u32.to_le_bytes()); // id
        data[base + 8..base + 12].copy_from_slice(&0o700u32.to_le_bytes()); // mode
        data[base + 64..base + 68].copy_from_slice(&2u32.to_le_bytes()); // sem_nsems
        data[base + 68..base + 72].copy_from_slice(&0u32.to_le_bytes()); // sem_otime_high

        let isf = IsfBuilder::new()
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            .add_struct("sem_array", 128)
            .add_field("sem_array", "sem_perm", 0, "kern_ipc_perm")
            .add_field("sem_array", "sem_nsems", 64, "unsigned int")
            .add_field("sem_array", "sem_otime_high", 68, "unsigned int")
            .add_symbol("sem_ids", vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, flags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap();
        // Must return exactly 1 — XArray radix tree is not walked contiguously.
        assert_eq!(
            result.len(),
            1,
            "in_use=3 but only first xa_head entry is recoverable"
        );
        assert_eq!(result[0].key, 0xABCD);
        assert_eq!(result[0].semid, 55);
    }

    // -----------------------------------------------------------------------
    // XArray multi-entry tests (RED: currently only 0 or 1 entries returned)
    // -----------------------------------------------------------------------

    /// Build an ISF with all IPC-related structs plus `xa_node` (for XArray traversal).
    fn make_isf_with_xa_node() -> serde_json::Value {
        IsfBuilder::new()
            // ipc_ids
            .add_struct("ipc_ids", 64)
            .add_field("ipc_ids", "in_use", 0, "unsigned int")
            .add_field("ipc_ids", "ipcs_idr", 8, "idr")
            // idr
            .add_struct("idr", 32)
            .add_field("idr", "idr_rt", 0, "radix_tree_root")
            // radix_tree_root
            .add_struct("radix_tree_root", 16)
            .add_field("radix_tree_root", "xa_head", 0, "pointer")
            // xa_node: 64 slots of 8 bytes each, at offset 0
            .add_struct("xa_node", 512)
            .add_field("xa_node", "slots", 0, "pointer")
            // kern_ipc_perm
            .add_struct("kern_ipc_perm", 64)
            .add_field("kern_ipc_perm", "key", 0, "unsigned int")
            .add_field("kern_ipc_perm", "id", 4, "unsigned int")
            .add_field("kern_ipc_perm", "mode", 8, "unsigned int")
            // sem_array
            .add_struct("sem_array", 128)
            .add_field("sem_array", "sem_perm", 0, "kern_ipc_perm")
            .add_field("sem_array", "sem_nsems", 64, "unsigned int")
            .add_field("sem_array", "sem_otime_high", 68, "unsigned int")
            // shmid_kernel
            .add_struct("shmid_kernel", 128)
            .add_field("shmid_kernel", "shm_perm", 0, "kern_ipc_perm")
            .add_field("shmid_kernel", "shm_segsz", 64, "unsigned long")
            .add_field("shmid_kernel", "shm_cprid", 72, "unsigned int")
            .add_field("shmid_kernel", "shm_lprid", 76, "unsigned int")
            .add_field("shmid_kernel", "shm_nattch", 80, "unsigned int")
            .build_json()
    }

    #[test]
    fn walk_semaphores_returns_multiple_entries() {
        // Layout:
        //   Page A (vaddr_a / paddr_a): ipc_ids (sem_ids)
        //   Page B (vaddr_b / paddr_b): xa_node with 3 slots filled
        //   Page C (vaddr_c / paddr_c): sem_array[0]
        //   Page D (vaddr_d / paddr_d): sem_array[1]
        //   Page E (vaddr_e / paddr_e): sem_array[2]
        //
        // xa_head in ipc_ids.ipcs_idr.idr_rt.xa_head = (vaddr_b | 2)
        //   → node pointer (bit 1 set), strip low 2 bits → vaddr_b
        // xa_node.slots[0..3] = vaddr_c, vaddr_d, vaddr_e (direct entries)
        // xa_node.slots[3..63] = 0

        let vaddr_a: u64 = 0xFFFF_8800_0100_0000; // sem_ids
        let paddr_a: u64 = 0x00A0_0000;
        let vaddr_b: u64 = 0xFFFF_8800_0101_0000; // xa_node
        let paddr_b: u64 = 0x00A1_0000;
        let vaddr_c: u64 = 0xFFFF_8800_0102_0000; // sem_array[0]
        let paddr_c: u64 = 0x00A2_0000;
        let vaddr_d: u64 = 0xFFFF_8800_0103_0000; // sem_array[1]
        let paddr_d: u64 = 0x00A3_0000;
        let vaddr_e: u64 = 0xFFFF_8800_0104_0000; // sem_array[2]
        let paddr_e: u64 = 0x00A4_0000;

        let mut page_a = vec![0u8; 4096];
        let mut page_b = vec![0u8; 4096];
        let mut page_c = vec![0u8; 4096];
        let mut page_d = vec![0u8; 4096];
        let mut page_e = vec![0u8; 4096];

        // Page A: ipc_ids
        // in_use = 3
        page_a[0..4].copy_from_slice(&3u32.to_le_bytes());
        // ipcs_idr at offset 8; idr_rt at offset 0 within idr = offset 8;
        // xa_head at offset 0 within radix_tree_root = offset 8.
        // xa_head = vaddr_b | 2  (node pointer)
        let xa_head_val = vaddr_b | 2;
        page_a[8..16].copy_from_slice(&xa_head_val.to_le_bytes());

        // Page B: xa_node — 64 slots of 8 bytes each, starting at offset 0
        // slots[0] = vaddr_c (direct entry — bit1 clear)
        // slots[1] = vaddr_d
        // slots[2] = vaddr_e
        page_b[0..8].copy_from_slice(&vaddr_c.to_le_bytes());
        page_b[8..16].copy_from_slice(&vaddr_d.to_le_bytes());
        page_b[16..24].copy_from_slice(&vaddr_e.to_le_bytes());
        // slots[3..63] remain zero

        // Page C: sem_array[0]
        page_c[0..4].copy_from_slice(&0x1001u32.to_le_bytes()); // key
        page_c[4..8].copy_from_slice(&10u32.to_le_bytes()); // id
        page_c[8..12].copy_from_slice(&0o600u32.to_le_bytes()); // mode
        page_c[64..68].copy_from_slice(&3u32.to_le_bytes()); // num_sems
        page_c[68..72].copy_from_slice(&100u32.to_le_bytes()); // owner_pid

        // Page D: sem_array[1]
        page_d[0..4].copy_from_slice(&0x1002u32.to_le_bytes());
        page_d[4..8].copy_from_slice(&11u32.to_le_bytes());
        page_d[8..12].copy_from_slice(&0o644u32.to_le_bytes());
        page_d[64..68].copy_from_slice(&2u32.to_le_bytes());
        page_d[68..72].copy_from_slice(&101u32.to_le_bytes());

        // Page E: sem_array[2]
        page_e[0..4].copy_from_slice(&0x1003u32.to_le_bytes());
        page_e[4..8].copy_from_slice(&12u32.to_le_bytes());
        page_e[8..12].copy_from_slice(&0o755u32.to_le_bytes());
        page_e[64..68].copy_from_slice(&1u32.to_le_bytes());
        page_e[68..72].copy_from_slice(&102u32.to_le_bytes());

        let mut isf = make_isf_with_xa_node();
        // Inject sem_ids symbol
        isf["symbols"]["sem_ids"] = serde_json::json!({ "address": vaddr_a });

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr_a, paddr_a, flags::WRITABLE)
            .write_phys(paddr_a, &page_a)
            .map_4k(vaddr_b, paddr_b, flags::WRITABLE)
            .write_phys(paddr_b, &page_b)
            .map_4k(vaddr_c, paddr_c, flags::WRITABLE)
            .write_phys(paddr_c, &page_c)
            .map_4k(vaddr_d, paddr_d, flags::WRITABLE)
            .write_phys(paddr_d, &page_d)
            .map_4k(vaddr_e, paddr_e, flags::WRITABLE)
            .write_phys(paddr_e, &page_e)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap();
        assert_eq!(
            result.len(),
            3,
            "XArray node with 3 slots must yield 3 semaphore sets"
        );

        // Collect keys for order-independent comparison
        let mut keys: Vec<u32> = result.iter().map(|s| s.key).collect();
        keys.sort_unstable();
        assert_eq!(keys, vec![0x1001, 0x1002, 0x1003]);
    }

    #[test]
    fn walk_msgqueues_returns_multiple_entries() {
        // Same XArray node layout, but for message queues (msq_queue → sem_ids
        // placeholder: we reuse walk_semaphores with sem_ids to test multi-entry).
        // This test verifies that a second independent XArray with 3 entries also
        // produces 3 results, using distinct addresses from the semaphore test.

        let vaddr_a: u64 = 0xFFFF_8800_0200_0000;
        let paddr_a: u64 = 0x00B0_0000;
        let vaddr_b: u64 = 0xFFFF_8800_0201_0000;
        let paddr_b: u64 = 0x00B1_0000;
        let vaddr_c: u64 = 0xFFFF_8800_0202_0000;
        let paddr_c: u64 = 0x00B2_0000;
        let vaddr_d: u64 = 0xFFFF_8800_0203_0000;
        let paddr_d: u64 = 0x00B3_0000;
        let vaddr_e: u64 = 0xFFFF_8800_0204_0000;
        let paddr_e: u64 = 0x00B4_0000;

        let mut page_a = vec![0u8; 4096];
        let mut page_b = vec![0u8; 4096];
        let mut page_c = vec![0u8; 4096];
        let mut page_d = vec![0u8; 4096];
        let mut page_e = vec![0u8; 4096];

        page_a[0..4].copy_from_slice(&3u32.to_le_bytes()); // in_use = 3
        let xa_head_val = vaddr_b | 2;
        page_a[8..16].copy_from_slice(&xa_head_val.to_le_bytes());

        page_b[0..8].copy_from_slice(&vaddr_c.to_le_bytes());
        page_b[8..16].copy_from_slice(&vaddr_d.to_le_bytes());
        page_b[16..24].copy_from_slice(&vaddr_e.to_le_bytes());

        // sem_array objects (key, id, mode, num_sems, owner_pid)
        page_c[0..4].copy_from_slice(&0x2001u32.to_le_bytes());
        page_c[4..8].copy_from_slice(&20u32.to_le_bytes());
        page_c[8..12].copy_from_slice(&0o600u32.to_le_bytes());
        page_c[64..68].copy_from_slice(&5u32.to_le_bytes());

        page_d[0..4].copy_from_slice(&0x2002u32.to_le_bytes());
        page_d[4..8].copy_from_slice(&21u32.to_le_bytes());
        page_d[8..12].copy_from_slice(&0o644u32.to_le_bytes());
        page_d[64..68].copy_from_slice(&4u32.to_le_bytes());

        page_e[0..4].copy_from_slice(&0x2003u32.to_le_bytes());
        page_e[4..8].copy_from_slice(&22u32.to_le_bytes());
        page_e[8..12].copy_from_slice(&0o755u32.to_le_bytes());
        page_e[64..68].copy_from_slice(&3u32.to_le_bytes());

        let mut isf = make_isf_with_xa_node();
        isf["symbols"]["sem_ids"] = serde_json::json!({ "address": vaddr_a });

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr_a, paddr_a, flags::WRITABLE)
            .write_phys(paddr_a, &page_a)
            .map_4k(vaddr_b, paddr_b, flags::WRITABLE)
            .write_phys(paddr_b, &page_b)
            .map_4k(vaddr_c, paddr_c, flags::WRITABLE)
            .write_phys(paddr_c, &page_c)
            .map_4k(vaddr_d, paddr_d, flags::WRITABLE)
            .write_phys(paddr_d, &page_d)
            .map_4k(vaddr_e, paddr_e, flags::WRITABLE)
            .write_phys(paddr_e, &page_e)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_semaphores(&reader).unwrap();
        assert_eq!(
            result.len(),
            3,
            "second XArray node with 3 slots must yield 3 entries"
        );

        let mut keys: Vec<u32> = result.iter().map(|s| s.key).collect();
        keys.sort_unstable();
        assert_eq!(keys, vec![0x2001, 0x2002, 0x2003]);
    }

    #[test]
    fn walk_shm_single_segment() {
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let mut data = vec![0u8; 4096];

        // ipc_ids at offset 0 (vaddr + 0):
        //   in_use (u32 at +0) = 1
        //   ipcs_idr (at +8): idr struct
        //     idr_rt (at +0 within idr = +8 overall): radix_tree_root
        //       xa_head (pointer at +0 within radix_tree_root = +8 overall)
        //         points to shmid_kernel at vaddr + 0x200
        data[0..4].copy_from_slice(&1u32.to_le_bytes()); // in_use = 1

        let shm_kernel_addr = vaddr + 0x200;
        // xa_head pointer at offset 8 (ipc_ids.ipcs_idr.idr_rt.xa_head)
        data[8..16].copy_from_slice(&shm_kernel_addr.to_le_bytes());

        // shmid_kernel at offset 0x200:
        //   shm_perm.key (u32 at +0) = 0xDEAD
        //   shm_perm.id  (u32 at +4) = 42
        //   shm_perm.mode (u32 at +8) = 0o666 = 0x1B6
        //   shm_segsz (u64 at +64) = 65536
        //   shm_cprid (u32 at +72) = 1000
        //   shm_lprid (u32 at +76) = 2000
        //   shm_nattch (u32 at +80) = 3
        let base = 0x200;
        data[base..base + 4].copy_from_slice(&0xDEADu32.to_le_bytes());
        data[base + 4..base + 8].copy_from_slice(&42u32.to_le_bytes());
        data[base + 8..base + 12].copy_from_slice(&0x1B6u32.to_le_bytes());
        data[base + 64..base + 72].copy_from_slice(&65536u64.to_le_bytes());
        data[base + 72..base + 76].copy_from_slice(&1000u32.to_le_bytes());
        data[base + 76..base + 80].copy_from_slice(&2000u32.to_le_bytes());
        data[base + 80..base + 84].copy_from_slice(&3u32.to_le_bytes());

        let reader = make_shm_reader(&data, vaddr, paddr);
        let segments = walk_shm_segments(&reader).unwrap();

        assert_eq!(segments.len(), 1);
        assert_eq!(segments[0].key, 0xDEAD);
        assert_eq!(segments[0].shmid, 42);
        assert_eq!(segments[0].size, 65536);
        assert_eq!(segments[0].creator_pid, 1000);
        assert_eq!(segments[0].owner_pid, 2000);
        assert_eq!(segments[0].permissions, 0x1B6);
        assert_eq!(segments[0].num_attaches, 3);
    }
}